1. Security Control Assessment
Agencies are required to periodically assess the security controls in place on their information systems. This includes assessing the effectiveness of the controls and identifying any deficiencies.
2. Configuration Management
Agencies must manage the configuration of their information systems in a secure manner. This includes ensuring that only authorized users have access to system settings and that changes are properly documented.
3. Identification and Authentication
Agencies must use strong identification and authentication methods to ensure that only authorized users can access their information systems. This includes using unique user IDs and passwords, and employing effective authentication mechanisms such as two-factor authentication.
4. Incident Response
Agencies must have a plan in place for responding to incidents that occur on their information systems. This includes detecting, investigating, and mitigating incidents.
5. Access Controls
Agencies must use effective access controls to restrict access to their information systems to authorized users only. This includes using least privilege and need-to-know principles and controlling who has access to what data.
6. Awareness and Training
Agencies must provide employees with awareness and training on how to protect the confidentiality, integrity, and availability of the agency’s information assets. This includes training on how to identify phishing attacks and other malicious threats.
7. Physical Security
Agencies must take steps to secure their physical facilities where their information systems are housed. This includes installing physical security measures such as locks and alarms, and restricting access to authorized personnel only.
8. Systems and Software Development Security
Agencies must take steps to ensure the security of their software development processes. This includes using secure coding practices, validating input data, and testing software for vulnerabilities.
9. Telecommunications and Network Security
Agencies must take steps to secure their telecommunications networks and protect against unauthorized access or interception of data transmitted over them. This includes using firewalls, intrusion detection/prevention systems, and other security measures.
10. Continuity of Operations
Agencies must have plans in place for ensuring the continued operation of their information systems in the event of a disaster or interruption of service. This includes having backups of data and systems, and having alternate site locations where systems can be operated in the event of a disaster.